It’s said that necessity is the mother of Invention. If that’s true, then absurdity is the weird uncle that makes you laugh while shaking your head in wonder.
I’ve been Blue Team for my entire career, focused on keeping bad actors out of a network while utilizing technical controls that are fairly well established. It was all about the design and implementation of these controls, rather than attacking the systems to validate the design.
I wanted to change my viewpoint, so I attended a boot camp for the EC-Council certification “Certified Ethical Hacker.” The course was, realistically, my first foray into the offensive side of security.
After completing this course and obtaining the credential, I wanted to build on the skills and learn more about the tools we were using. I decided to start spinning up VMs on hardware I had lying around.
The old gaming rig that I had recently retired seemed more than a little lacking in resources, and was old enough that getting the additional RAM was astonishingly expensive. I then decided to look for alternatives that might be more cost effective. Enter the humble Raspberry Pi computer.
I’d been interested in coming up with a project that would use the Raspberry Pi for some time, and reckoned that one could use it as a test system to run as a victim server in a home lab. Low cost, fun computer? A perfect fit.
Getting the computer in hand, I starting playing around with it and setting up a basic LAMP stack. I was considering how best to ensure that there were vulnerable versions of software running on the device when I was pointed to the DVWA project. Using this as my base for a victim server, I was just about ready to start attacking it from a Kali VM when a friend offered me another Raspberry Pi he had lying dormant.
Of course, why not run Kali on the second Raspberry Pi, and use it to attack the victim server? I began brainstorming how best to control these devices and considered making a small self-contained lab.
An idea began to form in my mind to take these two devices and install them into a briefcase or tool box, and make a portable lab out of it. I started talking to friends and colleagues about this idea and it became fairly popular, if a little silly.
The Snowball Effect
It seems obvious now, that the pieces of this lab were not only readily available, but easily obtained. Raspberry Pi computers are inexpensive and can be obtained quickly. Discount tool stores have the tool case I used available every day. The software is out there and ready to use with only a little configuration. All of the pieces were in plain sight; what was missing was a mission.
Why would I do this? What purpose should this have other than to be a toy for me to use to develop skills?
I felt it could be more than the sum of its parts. It then became apparent that this could be used to train others, the next generation of infosec professionals. It could be a repeatable, low-cost way for someone to have all of the tools available to them for beginner pen testing training.
I envision that this project can be presented to a computer class or scout meeting and get kids interested in security.
With this in mind, I started looking for solutions that were both more elegant than some of my early choices and made the system more approachable to a novice user. I tackled the power first, looking for a way to be able to eliminate as many of the nasty wall warts (large plugs that take up valuable space on a power strip) as I could.
I then discovered the wonders of USB powered LED displays. I toyed with using wireless and found an inexpensive USB-powered AP. I talked to people at work and online about ways that I could make this better.
The Hackinabox, as I had begun calling it, inched closer and closer to reality.
It’s my hope that I can offer this tool up, not only as a way for me to play around with Kali and hone my own skills, but to be the blueprint of a system that others can take and train the next generation of hackers and security professionals.
To see the build sheet and hear about the progression and evolution of the Hackinabox, please attend my session at BSides SLC on March 10-11.
About the Author: Marv White is a Network Security Analyst, CISSP and C|EH. When not avoiding teaching himself new skills by creating toys, he reads obsessively, follows obscure sports and dabbles in several hobbies.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.
Title image courtesy of ShutterStock